In yet another sign that Adobe Flash needs to die as soon as humanly possible, Adobe has released a fix for a major vulnerability in the program. The vulnerability (CVE-2018-15981) is a type confusion vulnerability that allows for remote code execution. When Israeli researcher Gil Dabah discovered it and disclosed it on his blog, it was clear that all OS types were affected (including Windows, macOS, Linux, and Chrome OS).
Dabah summarizes the vulnerability as follows: “the interpreter code of the Action Script Virtual Machine (AVM) does not reset a with-scope pointer when an exception is caught, leading later to a type confusion bug, and eventually to a remote code execution.” What he found rather frustrating is how dumb the vulnerability is: it should have been easily caught prior to his own disclosure. He voices this irritation in the closing paragraph of his blog post:
“When I found this bug at first, I thought there’s a small chance it’s a real bug. Particularly, I had my doubts, because the chances to have a forgotten/dangling with-scope is high in a normal Flash application. So how come nobody encountered this bug before as a misbehavior of their app? E.g., by getting a wrong variable, etc. Apparently, the combination to cause this scenario accurately is not that high after all.
“Good bye Flash, you’ve been kind…”
The sarcastic comment at the end really sums up, at least in my opinion, the general consensus of the cybersecurity community regarding Adobe Flash. The official phasing-out of the program could not have come sooner, as this piece of technology has proven to be a consistently exploitable avenue for black hats over the years. In many ways, Flash should have already died off, but as with certain technological elements like popular OS versions, or in this case programs, some people hang on much longer than is truly warranted.